Atozed Forums

Full Version: SA HTTPSYS Windows login name
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi all,

Using a Stand Alone HTTP.SYS program as a service, running on a server:

What is the right/best way of getting either the windows login name, or any other unique information identifying the logged on user ?

I want to save users individual selections for various functions, so that the next time they use the function again, the last used selections are shown, regardless of which workstation they are logged on to. We are talking about the conditions in the where clauses of select statements. I need some kind of unique information, identifying each user. Like the Windows logon name.

Regards
Soren
By the logged on user do you mean the user that the service is running under or the user of the web browser accessing your application?

If the user of the web browser - generally not possible except by special MS extensions which are largely nerfed (see below) long ago for security and compatibility reasons. For such users you need to present a log in screen using many of the available methods in IntraWeb to do this.

You can use NTLM, but not advised because of all the complexities and restrictions:
http://help.sonicwall.com/help/sw/eng/67...27.16.html
Yes, It was the user of the web browser accessing the service, I was thinking about, but any unique identification would work.

Alternatively it could be the name, or even the IP no, of the machine running the browser. It's not as good as the users logon name, but usable as most users are using the same machine for their daily work.
Machine name is a security concern so it is locked down in general today as well.

IP is not reliable. Several people can share external IPs, especially in a NAT setup which is very common.

As I suggested before, you can ask the user to log in. Or if you only care to ID them but not secure their login, just issue a unique cookie.
Is this for a fixed set of users?  That is, not "open to the public"?

If so, you can use an option that relies on cookies to identify a specific machine.  Not perfect, but would be more effective than IP based.

Do you need to know explicitly which machine is accessing?  If so, create a "configuration" process where a reliable user (aka administrator) executes a process that loads a non expiring cookie on the machine.  Encrypt the cookie contents.  Using the decrypted contents, you can set up something on the server to identify the machine

Well, it will identify a the browser on the machine, you'll really need to use the cookie:browser pair.

If you do NOT need to explicitly know which machine then set that "configuration" process to work automatically.  If you don't find a valid cookie on startup then create one that continues to identify that particular machine (though you don't know where it is).

Not pretty, but most of the other options are (or will be) blocked.  Even the cookie option will probably need authorization but is likely to work for a longer term.  Getting specific machine information is going to be very difficult long term, as Chad said.  Security folks will probably stop whatever else you try, if they haven't already.

It's not pretty, and it's not foolproof, but is likely to work for what you mentioned.

Dan
(07-23-2019, 04:58 AM)SorenJensen Wrote: [ -> ]Hi all,

Using a Stand Alone HTTP.SYS program as a service, running on a server:

What is the right/best way of getting either the windows login name, or any other unique information identifying the logged on user ?

I want to save users individual selections for various functions, so that the next time they use the function again, the last used selections are shown, regardless of which workstation they are logged on to. We are talking about the conditions in the where clauses of select statements. I need some kind of unique information, identifying each user. Like the Windows logon name.

Regards
Soren

That's an interesting subject (which I personally like). It is not possible to retrieve this information on modern browsers because of security reasons, as pointed out above.

Lots of companies would love to get this information (including Google, Facebook, etc) so they could know who you are and "sell" you the things that they know that you like.

It doesn't mean that there is no way to do this using other techniques. This "feature" is called browser fingerprinting. It has several practical applications, and not all are bad, as fraud prevention and user session tracking.

There are some free JS libraries which implement it and would be simple to use with IW. Of course, it could be *much* more than your requirements but, as a curiosity, here it goes:

https://clientjs.org/

https://fingerprintjs.com

https://github.com/Valve/fingerprintjs2



I remember I used ClientJS in a project in the past...
Thank you all for your valued replies.

The function I want to implement, is for a limited number of users, max. 20, inside a secure intranet, all working within the same department.

I want to automatically save the values users put into the fields on screen (to limit the result of a search / print), to allow the users to reuse them rather than having to enter all the information again and again. And when multiple saved values is available, then let the users choose which one to use as base for the next search/print. There is no secret or personal user information involved.

As I want to save the data in a table, I hoped to have some unique user identifier available, but as that is not as easy as I hoped it would be, I will use the function name as main id, and then add date/time, to allow for multiple rows for each function, and in stead propose the youngest and let the users choose for multiple values, when available. 


Once again, thank you all for your inputs :-)

Regards
Soren